Is it good policy to use non-mainstream applications, or does it depend? For example, is it better to use a less popular browser, media player or operating system, as it is less likely to be a target for hackers to exploit? On the other hand, if it's more popular it may have a larger community for support, and if it's open source then it has more eyes and people fixing it.

To clarify I see 3 positions one can stand on this: it's better, it's worse, it depends on the specific situation/irrelevant.

For example I once heard using Opera web browser is safe because (in Turbo mode) it proxies traffic. I thought it may be better because it's less popular.

Another consideration is the popularity of the security software itself. It would be reasonable for a virus writer/hacker to aim to defeat the most popular security checks; for example, a virus may be designed to avoid detection or knock out Avast but may not have bothered with Trend Micro.

You believe Opera would be more secure because it sends ALL your traffic through a single server you have no control over? I'd consider it to be the exact opposite of safer.
– Grant Aug 22 '12 at 13:36

@Grant the argument I heard is that Opera's server would act like a buffer and any attacks made by the website would happen to it.
– Celeritas Aug 22 '12 at 18:35

1

Should I live in a less crowded area, with less criminal acts per year? (Answer: maybe)
– curiousguy Aug 24 '12 at 5:05

I think the answer to your title is "yes". Using IE5 nowadays may actually be secure, you just need to hope there aren't any IE6 exploits in the wild that affect IE5 too. Also, look at the "there are no viruses on a Mac!" argument. A less used platform, like Opera, is almost certainly safer.
– Luc Aug 24 '12 at 21:05

@Luc but for all systems that you would use IE5 on there are exploits in the wild :-)
– kinokijuf Aug 25 '12 at 13:02

8 Answers
8

It depends. If all reasonably functional alternatives are fundamentally prone to programming errors, like it is the case with browsers, it is probably a good idea to use a not-so-popular one.

In particular, if your threat model does not include sophisticated adversaries that wait, observe and develop attacks specifically for your setup, using the not-so-popular software will free you from a lot of hit-and-run/mass-scanning/worm attacks. I think this is an effective security policy for "practical" systems, i.e., any larger industry/home setup where the software and hardware configuration cannot be designed/bought/enforced from the start with security in mind.

Obviously, you should also not use barely maintained or non-maintained software. Just because it's not-so-popular doesn't mean it's secure.

The metrics are of limited usability. Perhaps most useful and easiest to understand is the MTTF, which is the mean time between reported security incidents for a particular package.

The system uses the Debian repositories and advisories to infer this information, but of course a bug in the Debian's vlc package is likely also a bug in everyone else's vlc package.

An average bug rate X doesn't mean that incidents occur at that rate on your particular platform. It's an upper boundary, covering all possible combinations. If you're running Windows, chances are that many of Debian's vlc security advisories don't apply to your Windows vlc.

Using obscure applications is, as my phrasing suggests, a form of security through obscurity. Such reasoning is false, and only leads to a false sense of security. Obscurity is not security.

Don't select your security-critical software based on how popular it is or isn't; select it based on the amount of analysis that has gone into the software, how quick the vendor is to patch security issues, and what provable security measures they offer.

Unfortunately, it's basically infeasible for a non-security expert or people without lots of practical experience to determine these metrics (analysis, measures, patching) for a given software. The most you get is a sourceforge project page or a vendor homepage with PR gibberish.
– pepe Aug 22 '12 at 9:46

4

I agree with the "security obscurity" question but I read the question as possibly using it for "risk reduction", which I do think has some merits.
– Mark Hillick Aug 22 '12 at 10:24

4

@MarkHillick I disagree that it's a risk reduction. It's a risk reduction until someone actually breaks it, at which point it's become a huge problem. It's a false sense of security. Obscurity provides no provable benefit, only a perceptive benefit.
– Polynomial Aug 22 '12 at 10:30

4

@Polynomial I didn't say use "obscurity" did I? I don't consider Opera obscure, do you? I said "less popular" but well maintained and patched by a reputable community. Obscurity != Less Popular, I think there's a difference.
– Mark Hillick Aug 22 '12 at 10:35

3

The same goes for risk. You can argue that something less popular is a lower risk, but that's like saying "ok, here's a gun with 256 barrels, and only one bullet, go play Russian roulette". The probability might be low, but the security implications are high. Probability also does not mean a lower incident count - an unbiased coin might still land on heads 500 times in a row - it's just really unlikely. I'm not discounting your answer, I'm discounting the security of relying on a probability.
– Polynomial Aug 22 '12 at 11:34

@Polynomial makes very good points regarding "security through obscurity" and you definitely shouldn't secure yourself based on "obscurity" because it has proven not to work. However, I don't believe that the answer to your question is that simple - I think your question is more of a "risk reduction" question but could be wrong.

Quite often in the security community, we simply say "no". Choosing something because it's not "popular" or doesn't have as big a market share, however, isn't a straightforward "no" imho. From your question, imho, I don't believe that you are suggesting a "security through obscurity" policy.

I have seen examples of people employing a successful strategy using "less popular" software. It is important to note though that it's quite often a short-term solution, very much not a long-term thing.

I'm pretty sure that it's a fact that the vast majority of attackers will target the technology that is used by the majority of the people, that's generally why Windows, Internet Explorer, Adobe Acrobat were all targeted (as well as the fact that some of the code was very poor). Later Windows and IE (IE9 is significantly more secure) releases have been dramatic improvements on their predecessors from a security point of view both because they've taken such a tanking from attackers and the security community as well as losing market share (possibly more hurtful). However, despite these security improvements, Microsoft is still targeted, Patch Tuesday is still quite often "huge" and it's because of their large user-base (a big target).

For example, I know of people who moved from Windows to Mac because it had less market share and was deemed "more secure", remember the Apple campaign.
As Apple have become more popular, they've been targeted much more and there is a lot more malware specifically for Mac now than when it wasn't as popular, so surely that would confirm your suggestion that, yes, it was more secure when it wasn't as popular. It's not the underlying infrastructure that's made it more insecure but generally all the nice apps that Apple adds on, and it adds these on to please users, mostly new users who aren't as technical as its original user base. It's not to say they were "more" secure before Steve Jobs took over the world, but I believe it's safe to say that you were less "at risk" from being attacked using a Mac 6-8 years ago than you are today.

I know folk now moving from Mac to Linux to remove themselves from the Mac "attack surface". Whether Linux will become as popular as Mac on the desktop is another question, but there are many reasons why using Linux as a desktop is secure (too many for here, not least because the person using Linux is most likely technically savvy and aware of the risks), but "less popular/less of a target" can be one of them.

Similarly with Adobe, their software was attacked because of the huge target base that a successful exploit could compromise - there are vulnerabilities in other PDF software but they weren't attacked to the same degree (were they?). They're still being attacked because it's the predominant solution for reading/writing PDFs and vulnerabilities, despite securing their software so much more (e.g. their sandboxing technology).

I know of plenty of folk that use Opera or less popular browsers for browsing certain important sites because whilst there are vulnerabilities in that software also (as there is in all software), they're not as well known or as well targeted. You are much more likely to receive an email with a link to a web-site that contains a payload to exploit a Firefox, IE or Chrome vulnerability.

@Pepe also makes a very good point regarding ensuring the software that you are using is maintained and regularly patched (Opera certainly is). I'd also add ensure it's a reputable project, do some digging on the Internet to check out the community/person behind the software - Sourceforge is awesome but it does host some "interesting" stuff to say the least. If in doubt, ask on Security Stackexchange :)

In summary, I don't think it necessarily makes you more secure but if you have your head screwed on, are aware of the risks etc then I do believe such a philosophy can be used to successfully reduce your risk, if used correctly as part of an overall defence-in-depth strategy and you don't rely on it totally.

In practical terms, there's a certain amount of security to be gained by "flying under the radar" if such a thing is an option for you.
I've seen thousands of readily-exploitable PHP applications that never get any attention and never get exploited "in the wild", while even the slightest misstep in a Wordpress or Joomla extension will quickly become widely exploited. Statistically speaking, if a mistake in your application doesn't show up on Exploit-DB or in CERT, then it likely won't be exploited by automated scanning bots. And exploits by automated bots are your biggest concern if you're a "nobody" on the Internet.

But as a long-term solution, this is a risky sort of shelter to seek.
All it takes is one opportunist who notices a mistake in your application to completely ruin your entire strategy. Popular applications become popular largely because they're well supported, well managed, and quickly updated. Less-popular software is often abandoned or infrequently updated. A mistake in such a program may never get updated at all. And changing platforms down the road will probably be a non-option. If no one knows about your app, then it's unlikely that a migration tool will exist -- you'll be stuck and in a disaster.

Also, certain classes of dangers can be generically scanned for --
This includes remote inclusion bugs, SQL injection exploits, and a few others. The attacker doesn't need to know ahead of time what software you're running or whether or not it's vulnerable. Instead, he can look for certain patterns that often accompany an exploitable component even if he doesn't know what that component is.

In this scenario, poorly-written software will bite you anywhere, even if you wrote it yourself and no one has the source code but you.

Ideally, you should stick with trusted, vetted, well-maintained software, completely regardless of popularity.
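The answer above draws a line between probes aimed at a specific popular product and probes that are application-agnostic. As an added example (not from any answer on this page), here is a small access-log triage script from the defender's side that labels each request with the mistake class it is testing for, so that the two kinds of traffic can be told apart in your own logs. The log lines and the signature lists are constructed for illustration; real deployments would tune the patterns and would not treat a hit as more than a signal.

```python
"""Label generic scanner probes versus product-specific probes in access logs.

Added example with constructed log lines; the signature lists are illustrative
and deliberately small. Nothing here blocks traffic, it only classifies it.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Application-agnostic probes: the sender need not know what software runs here.
GENERIC_PATTERNS = {
    "path-traversal": re.compile(r"(\.\./|\.\.\\)"),
    "sql-injection": re.compile(r"(union\s+select|'\s*or\s+1=1|sleep\(\d)", re.I),
    "remote-inclusion": re.compile(r"[?&]\w+=(https?|ftp)://", re.I),
}

# Probes that only make sense against one popular product (constructed list).
PRODUCT_PATHS = {
    "wordpress": ("/wp-login.php", "/xmlrpc.php", "/wp-admin"),
    "joomla": ("/administrator/", "/index.php?option=com_"),
}


def classify(path):
    """Return the set of labels for one request path (empty for unremarkable traffic)."""
    decoded = unquote(path)  # scanners often percent-encode the interesting part
    labels = {name for name, rx in GENERIC_PATTERNS.items() if rx.search(decoded)}
    labels |= {f"probe:{product}" for product, prefixes in PRODUCT_PATHS.items()
               if any(decoded.startswith(prefix) for prefix in prefixes)}
    return labels


def scan_log(lines):
    """Parse log lines; return [(client, path, labels)] for every flagged request."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or foreign line: skip rather than guess
        client, _when, _method, path, _status, _size = match.groups()
        labels = classify(path)
        if labels:
            hits.append((client, path, labels))
    return hits


def clients_by_label(hits):
    """Group flagged clients by label, e.g. to see who is doing generic scanning."""
    grouped = defaultdict(set)
    for client, _path, labels in hits:
        for label in labels:
            grouped[label].add(client)
    return dict(grouped)


# Constructed sample log (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Aug/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 4321',
    '203.0.113.5 - - [22/Aug/2012:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 213',
    '198.51.100.7 - - [22/Aug/2012:10:00:03 +0000] "GET /page.php?file=../../etc/passwd HTTP/1.1" 404 213',
    '198.51.100.7 - - [22/Aug/2012:10:00:04 +0000] "GET /item.php?id=1%20union%20select%201,2,3 HTTP/1.1" 500 0',
    '198.51.100.7 - - [22/Aug/2012:10:00:05 +0000] "GET /view.php?page=http://203.0.113.99/x.txt HTTP/1.1" 404 213',
]

if __name__ == "__main__":
    for client, path, labels in scan_log(SAMPLE_LOG):
        print(client, sorted(labels), path)
```

Run over the sample, the first client only looks for a WordPress login page (harmless if you do not run WordPress), while the second client never names a product at all and is simply trying traversal, injection and inclusion inputs against whatever answers. That second pattern is the one the answer means by "poorly-written software will bite you anywhere".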

If you have to ask, don't use less popular software, because it's harder to find good information about it. I know Google Chrome has very strong sandboxing, and I'm happy telling people that. When it gets broken, you hear about it. Whereas I don't know whether Opera uses sandboxing, or how highly regarded its implementation is.

OTOH, if you are reliably informed that Opera is more secure - and that the security is well-maintained - then feel free to prefer it.

One thing I think no-one has mentioned is the "bypass" factor. Your more obscure software is likely to lack some useful feature. (E.g. working well with a certain website). If users are forced to switch software sometimes, perhaps without the same chance to use a prepared safe solution, then they could be losing the protection... maybe even getting the worst of both worlds.

It's a good question but I do not have a specific and clear answer that you can use for all situations. Of course, it depends on the situations and the software and application that you want to use.

For your example, a browser, I think it's better to use a popular but open source browser that can give you a lot of security extensions. Using that as a guide we have several web browsers to choose from. With these security extensions, and their popularity, we can be almost sure about the code, but you should know that it is not only hackers that threaten security but sometimes the developers themselves. So take a fast look at the company privacy policy and use that to help guide your choice. This method can be used for other applications as well.

Do you have any research or other sources to indicate that popularity is a good measure of trustworthiness of software? After all, phpMyAdmin is very popular and has a terrible track record.
– Scott Pack Aug 22 '12 at 11:36

@ScottPack: The thing I mean is, the popularity factor should be considered with other factors. They can supply security together, and I think security is not the thing that can be supplied by one factor only. Anyway it's my opinion and I don't have any official research on this field. I hope you understand what I mean.
– anony Aug 23 '12 at 14:15

There is no link between popular and non-popular software in terms of security in general.
All browsers can be exploited one way or another, which is happening a lot. It's not even safe to use wget or a similar tool with known and future vulnerabilities on some websites without caging it.

Everything that connects to the internet and parses HTML is potentially exposed to various attacks, especially if the client-side code is run.

Because of this, the browser run is best to be caged / switched to another user without ability to capture screen / drop files to the current user account running e.g. email.

You would not run email and web on the same server account, so why would you run it this way on the desktop PC if it supports caging too, like Chrome does? So maybe you can try with MSIE 9 too (very secure), Chrome, but Firefox? As the most popular browser, it doesn't seem to be secure AT THE MOMENT, and the historical track of bugs is irrelevant, as what matters is the current version. But what the security of Firefox is I am not sure, but it's a new feature (plugin isolation), and you would need more support from the OS to actually isolate it.

In Linux, you can run it through "sudo" or via SELinux/AppArmor; in Windows you do this:

And make sure that the test user does not have the password "test" or "password" and is not in the administrators group.

With this, you can run very dangerous websites and in any case you just wipe the account. You don't set up its write permissions to any files. Mail and web can be kept on the server-mapped drive for additional inspection and control.

Hardening the desktop is easier than actually a server. It is because desktops, for most of the time, statistically run Windows, which can be secured from a simple GUI, and the bat files with runas are very easy to make, also via GUI.
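The answer above describes the same idea for Windows (a separate non-admin user launched via runas) and for Linux (sudo or an LSM profile). As an added example, not part of this answer and not the Windows snippet it omits, here is a Linux launcher that drops to a dedicated unprivileged account before starting the browser, refusing to run if that account is root or sits in an administrative group. It assumes a local account such as `webuser` has already been created (for example with `useradd -m webuser`) and that the wrapper itself is started as root so it can switch users; the account name and the browser command are placeholders.

```python
"""Start a browser under a dedicated unprivileged Linux account.

Added example (not this answer's code). Assumes: the wrapper runs as root,
the target account already exists, and the browser is on PATH. Account name
and command below are placeholders.
"""
import grp
import os
import pwd
import sys

# Membership in any of these makes the separate account pointless (distribution-
# dependent; extend as needed).
ADMIN_GROUPS = {"root", "wheel", "sudo", "admin", "adm"}


def check_account(uid, gid, group_names, admin_groups=ADMIN_GROUPS):
    """Return the reasons an account is unsuitable as a browsing 'cage' (empty if fine)."""
    problems = []
    if uid == 0 or gid == 0:
        problems.append("account is root or has root's primary group")
    privileged = sorted(set(group_names) & admin_groups)
    if privileged:
        problems.append("account is in privileged group(s): " + ", ".join(privileged))
    return problems


def lookup(username):
    """Resolve a local account to (uid, gid, all group names) from the system databases."""
    entry = pwd.getpwnam(username)
    primary = grp.getgrgid(entry.pw_gid).gr_name
    supplementary = [g.gr_name for g in grp.getgrall() if username in g.gr_mem]
    return entry.pw_uid, entry.pw_gid, [primary] + supplementary


def launch_as(username, argv):
    """Drop privileges to `username` (groups, then gid, then uid) and exec `argv`."""
    uid, gid, groups = lookup(username)
    problems = check_account(uid, gid, groups)
    if problems:
        raise PermissionError("; ".join(problems))
    os.setgroups([grp.getgrnam(name).gr_gid for name in groups])
    os.setgid(gid)
    os.setuid(uid)  # irreversible once we are no longer uid 0
    if os.getuid() != uid or os.geteuid() != uid:
        raise RuntimeError("privilege drop did not take effect")
    # Start from a minimal environment so nothing from the root session leaks in.
    env = {
        "HOME": pwd.getpwuid(uid).pw_dir,
        "USER": username,
        "PATH": "/usr/bin:/bin",
        "DISPLAY": os.environ.get("DISPLAY", ":0"),
    }
    os.execvpe(argv[0], argv, env)


if __name__ == "__main__":
    # usage (placeholders): sudo python3 cage.py webuser firefox
    if len(sys.argv) < 3:
        sys.exit("usage: cage.py <account> <browser command...>")
    launch_as(sys.argv[1], sys.argv[2:])
```

One caveat the answer's "without ability to capture screen" goal runs into: on a classic X11 desktop every client attached to the same DISPLAY can read other windows and keystrokes, so a separate Unix account alone does not stop that; you need a separate session, a nested display, or a sandbox/LSM profile on top of the user switch for that part of the isolation.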

Can you cite some CVEs for wget getting exploited?
– Bruce Ediger Aug 22 '12 at 13:52

1

"And that the test user is not having password "test" or "password"" How is the password of the test user relevant?
– curiousguy Aug 23 '12 at 4:33

2

I'm confused as to how anything after the first paragraph is relevant to the question.
– Polynomial Aug 23 '12 at 10:19

Guys, care to read and understand carefully the context? Also I gave the following statements: 1. no application without extra security is safe today because standard security is bypassed with standard exploits over some time; 2. test and password are practical examples of easy passwords. I have a 6 year old son who is surprised by your answers, as he can use a PC and understands these issues, as well as this post, better and requires less explanation to get it, hence I don't feel obligated to give more answers. How is it relevant? It's a usage scenario of running secure apps. Too much of PC!!!!
– Andrew Smith Aug 23 '12 at 23:17